CyberCube estimates CrowdStrike cyber insurance losses at between US$400m and US$1.5bn

Event could be the most significant single insured loss in 20-year cyber insurance history, but does not match extreme scenarios modelled by insurers, says CyberCube.

(Re)in Summary

• CyberCube estimates insured losses from the 19 July CrowdStrike event at US$400m to US$1.5bn.
• This would represent a 3-10% loss ratio impact on global cyber premiums, based on a US$15bn figure.
• The event could be the most significant single insured loss in the 20-year history of the cyber insurance industry but does not match extreme scenarios modelled by insurers.
• CyberCube’s Portfolio Manager shows more severe scenarios could reach 234% loss ratios for 1-in-200-year events.
• Non-malicious nature of the event influences coverage, with contingent business interruption from ‘system failure’ likely being the loss trigger.

CyberCube has given an early estimate of insurance losses from the 19 July CrowdStrike event, ranging from US$400m to US$1.5bn for the standalone cyber market.

This range represents a 3-10% loss ratio impact on global cyber premiums, based on a US$15bn figure.

“This scale of loss could make the CrowdOut event the largest single insured loss event in the history of the affirmative cyber insurance industry over the past 20 years,” the cyber analytics provider said in a note about the incident. “At the same time, an event of this scale does not come close to the extreme scenarios currently being modelled by cyber insurers and reinsurers.”

According to CyberCube’s current estimates, the event represents a loss between the 1-in-2 and 1-in-6-year industry loss return periods.

According to CyberCube’s Portfolio Manager product, used by 30 of the 40 largest US and European cyber insurers, more severe scenarios could reach loss ratios of 234% for a 1-in-200-year return period.

“As such, the [CrowdStrike] event is a major event for the cyber insurance market but does not come close to the destructive potential that leading insurers are holding capital against,” said CyberCube.

Despite the relatively lower estimated insured loss numbers, CyberCube believes this event will provide valuable material for counterfactual analysis to validate model credibility.

“For example, had this event been a malicious attack that deployed ransomware bricking a large number of computer systems, the losses would have been far worse,” the company explained.

CyberCube expects carriers to see disproportionate losses in portfolios with significant large corporate exposures.

The time to recover systems will also vary widely, impacting the applicability of business interruption coverage, CyberCube said.

Business interruption waiting periods or time-based deductibles usually range from 8 to 12 hours but can extend from 6 to 24 hours. Recovery times differ greatly between large and small companies due to their IT remediation capacity and the complexity of their IT infrastructure.

The non-malicious nature of the event also influences the insurance coverage triggered in policies.

“This means that contingent business interruption from ‘system failure’ will likely be the loss trigger,” CyberCube said, adding, “This coverage may not be offered as standard in many policies and where offered, will often be sub-limited.”

CyberCube noted that its estimates are provisional and based on the best currently available information, as the event is still unfolding with a significant percentage of systems yet to be restored.
